Article ID:5879
OpenVPN on an RV160 and RV260 Router
Objective
The objective of this article is to guide you through setting up OpenVPN on your RV160 or RV260 router, as well as the OpenVPN client setup on a computer.
Applicable Devices
RV160
RV260
Software Version
1.0.00.13
Table of Contents
Setting up a Demo OpenVPN on an RV160/RV260 Router
Setting up OpenVPN on an RV160/RV260 Router
Logging in With a Self-signed Certificate after Setting up Demo OpenVPN
OpenVPN Client Setup on Computer
Introduction
OpenVPN is a free, open-source application that can be set up and used for a Virtual Private Network (VPN). It uses a client-server connection to provide secure communications between a server and a remote client location over the internet.
OpenVPN uses OpenSSL for encryption and UDP or TCP for traffic transmission. A VPN provides a secure tunnel of protection, which is less vulnerable to hackers since it encrypts data sent from your computer through the VPN connection. For example, if you are using WiFi in a public place, such as in an airport, it keeps your data, transactions, and queries from being seen by other users. Much like HTTPS, it encrypts data sent between two end points.
One of the most important steps in setting up OpenVPN is obtaining a Certificate from a Certificate Authority (CA). This is used for authentication. Certificates are purchased from any number of third-party sites. It is an official way to prove that your site is secure. Essentially, the CA is a trusted source that verifies that you are a legitimate business and can be trusted. For OpenVPN you only need a lower level certificate at a minimal cost. You get checked out by the CA, and once they verify your information, they will issue the certificate to you. This certificate can be downloaded as a file on your computer. You can then go into your router (or VPN server) and upload it there. Please note that clients don't need a Certificate to use OpenVPN; it is just for verification through the router.
Prerequisites
Install the OpenVPN application onto your system. Click here to go to the OpenVPN page.
More information on OpenVPN can be found here. These websites contain a lot of detail about OpenVPN and answers to many questions you may have.
Note: This setup is specific to Windows 10.
Once you have OpenVPN installed, the application should appear on your desktop or as a small icon on the right side of the task bar. OpenVPN clients will also need this installed.
Ensure you have the proper system time set up on all devices. The proper system time must be completely synced at the router before the creation of a certificate. This is often done automatically, but if you run into issues, this is a good place to check.
Setting up a Demo OpenVPN on an RV160/RV260 Router
If you want to try out OpenVPN before you pay a CA for a certificate, you can create a self-signed certificate. This is a no-cost way to see if OpenVPN is something you would like to deploy for your business. If you already know you would like to purchase a certificate from a CA, you can skip this section of the article and go directly to Setting up OpenVPN on an RV160/RV260 Router.
Step 1. Log into the router using your credentials. The default user name and password are cisco.
Note: It is highly recommended that you change all passwords to something more complex. Otherwise, it is like leaving the key to your locked door on the doorstep.
Step 2. It is a requirement that you obtain a certificate on the router. Navigate to Administration > Certificate > Generate CSR/Certificate... This is how to create the request for a certificate.
Step 3. Make a request for a CA Certificate.
Select CA Certificate from the dropdown menu
Enter a Certificate Name
Enter the IP address, Fully Qualified Domain Name (FQDN), or Email. Entering the IP address is the most common choice.
Enter your Country
Enter your State
Enter your Locality Name, usually your city
Enter your Organization Name
Enter your Organization Unit Name
Enter your email address
Enter Key Encryption Length, 2048 is recommended
Click the top right Generate button.
Step 4. You also need a server certificate. This Certificate Signed by CA Certificate will be signed by the CA certificate you just created.
Step 5. Make a request for a Certificate Signed by CA Certificate.
Select Certificate Signing Request from the dropdown menu
Enter a Certificate Name
Enter the IP address, Fully Qualified Domain Name (FQDN), or Email. Entering the IP address is the most common choice.
Enter your Country
Enter your State
Enter your Locality Name, usually your city
Enter your Organization Name
Enter your Organization Unit Name
Enter your email address
Enter Key Encryption Length, 2048 is recommended
Choose the proper Certificate Authority from the dropdown menu
Click the top right Generate button
Step 6. Navigate to System Configuration > User Groups. Select the plus icon to add the new group.
Step 7. Enter the name of the Group, click On for the radio button to turn on OpenVPN. Click Apply.
Step 8. Navigate within the System Configuration menu and click on User Accounts. Under Local Users, Click on the plus icon.
Step 9. Fill out the information below. Make sure to select OpenVPN from the dropdown menu. Click Apply.
All of the dependencies are complete and the router can now be configured for OpenVPN.
Step 10. Navigate to VPN > OpenVPN. The OpenVPN page opens. Complete each box on the page, making sure to select the previously created certificates from the dropdown menu.
Check the Enable box. Select the Interface that is going to allow in traffic. In this case a Wide Area Network (WAN), and select a Certificate Authority (CA) Certificate.
Select the CA Certificate from the dropdown menu
Select the Server Certificate you downloaded from the dropdown menu
Select Client Authentication. If you select Password they need to authenticate with a password. If you select Password + Certificate, the client must also have a certificate. This is more secure but adds to the cost of the VPN as they would need to purchase a separate CA.
Enter the Client Address Pool. Choose an IP address on a Network subnet that isn't used anywhere else in the company. Select from the reserved ranges and choose a range not used anywhere else.
Choose the form of Encryption. Make sure the encryption is the same as the client. DES and 3DES are not recommended and should only be used for backwards compatibility.
Choose Split tunnel if you want only specified traffic to go through the VPN. For a VPN, a split tunnel is necessary. Full Tunnel Mode is selected in other situations when you want all client traffic to go through the VPN.
Step 11. Scroll down the page and fill out the following:
The DNS1 IP address could be a dedicated internal DNS server, the same IP address of your default gateway provided by your Internet Service Provider (ISP), on a virtual machine, or a trusted DNS server out on the internet.
Step 12. Click Apply to save the configuration at the router.
Step 13. Stay on the same page and scroll further. Generate the configuration template that is to be installed on the OpenVPN client. This file has an .ovpn extension and will be used by the OpenVPN client. Check the box to Export client configuration template (.ovpn) and click Generate. This downloads the file onto your computer.
Step 14. Navigate to Status and Statistics > VPN Status. You have the ability to scroll down for more detailed information.
The next section of this article is important to review, as it explains how to log in with a self-signed certificate.
Logging in With a Self-signed Certificate after setting up Demo OpenVPN
When you log in with a self-signed certificate, you may see a warning popup when you attempt to log in. You will need to click Advanced, Proceed, Trust, or another option depending on your web browser in order to proceed.
At this point you may receive a warning that it is unsafe. You can choose to proceed, add exception, or advanced. This will vary by web browser.
In this example, Chrome was used as the web browser. When this message appears, click Advanced.
A new screen will open and you need to click on Proceed to yourwebsite.net (unsafe).
Here is an example of accessing the device warning when using Firefox as a web browser. Click on Advanced.
Click Add Exception...
Finally, you will have to click on Confirm Security Exception.
The router is now configured with all the parameters necessary to support an OpenVPN Client connection. Since you have already downloaded the client configuration template to your device, the one that ends in .ovpn, you can move on to the section OpenVPN Client Setup on Computer. If you decide to deploy OpenVPN for your company, you can follow the steps in this next section.
Setting up OpenVPN on an RV160/RV260 Router
This is a more complicated process as it involves getting a certificate from a third-party CA, which costs money. You also need to send the VPN client configuration template, ending in .ovpn, to all clients so they can set it up on their devices. Clients need several settings to be the same as on the router in order for them to communicate. The best part is that for minimal cost, you and your employees can use the internet and conduct business more securely.
Step 1. Log into the router using your credentials. The default user name and password are cisco.
Note: It is highly recommended that you change all passwords to something more complex. Otherwise, it is like leaving the key to your locked door on the doorstep.
Step 2. It is a requirement that you obtain a certificate. Navigate to Administration > Certificate > Generate CSR/Certificate... This is how to create the request for a certificate.
Step 3. Make a request for a Certificate Signed by CA Certificate. This can be found by navigating to Administration > Certificate.
Select Certificate Signing Request from the dropdown menu
Enter a Certificate Name
Enter the IP address, Fully Qualified Domain Name (FQDN), or Email. Entering the IP address is the most common choice.
Enter your Country
Enter your State
Enter your Locality Name, usually your city
Enter your Organization Name
Enter your Organization Unit Name
Enter your email address
Enter Key Encryption Length, 2048 is recommended
Click the top right Generate button
Step 4. Select to Export it by clicking the up arrow under Action.
Step 5. This screen will appear. Click Export.
Step 6. Select Open with and Notepad (default) from the dropdown menu. Click OK.
Step 7. An XML File will open.
Note: Make sure the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST are each on their own lines as shown above.
Step 8. At the top of the screen click Edit and select Copy from the dropdown menu.
Step 9. Choose a reputable third party site to make the certificate request. You will need to paste the copied XML file as part of the request.
Note: If you have an internal certificate server on your network you can use that instead, however this is not common.
Step 10. Once you have been verified, you can choose Download certificate.
Step 11. Click the radio button to Save File and Click OK.
Step 12. Once it has been saved, select the radio button for that certificate and click on the down arrow.
Step 13. This screen will open. Select Browse....
Step 14. Choose the file of the certificate and click Open.
Step 15. Enter the Certificate Name to import and click Upload.
Step 16. You will receive a notification that the certificate successfully imported. Click OK.
Step 17. Navigate to Administration > Certificate. The certificate has been loaded.
Note: In this example, a local certificate server was used.
Step 18. Navigate to VPN > OpenVPN. The OpenVPN page opens. Complete the following with your information.
Check the Enable box. Select the Interface that is going to allow in traffic. In this case a Wide Area Network (WAN), and select a Certificate Authority (CA) Certificate.
Select the CA Certificate from the dropdown menu
Select the Server Certificate you downloaded from the dropdown menu
Select Client Authentication. If you select Password they need to authenticate with a password. If you select Password + Certificate, the client must also have a certificate. This is more secure but adds to the cost of the VPN as they would need to purchase a separate CA.
Enter the Client Address Pool. Choose an IP address on a Network subnet that isn't used anywhere else in the company. Select from the reserved ranges and choose a range not used anywhere else.
Choose the form of Encryption. Make sure the encryption is the same as the client. DES and 3DES are not recommended and should only be used for backwards compatibility.
Choose Full Tunnel Mode if you want all client traffic to go through the VPN, or Split tunnel if you want only specified traffic to go through the VPN.
The DNS1 IP address could be a dedicated internal DNS server, the same IP address of your default gateway provided by your Internet Service Provider (ISP), on a virtual machine, or a trusted DNS server out on the internet.
Click Apply to save the configuration.
Step 19 (Option 1). You can email this configuration to the client. Check the box Send Email. Enter an email address. Add a Subject title for the email. Click Generate.
Step 20. (Option 2). Select Export client configuration template (.ovpn) and click Generate.
Step 21. You will receive confirmation that it was successful. Click OK.
Step 22. Click Save.
Step 23. Navigate to the bottom right of your desktop and click the OpenVPN icon. Right-click to open the dropdown menu. Click Import File.
Step 24. Select the OpenVPN file that ends in .ovpn.
Step 25. Click on the radio button Save File and click OK.
Step 26. Change the name of the file if you choose, but leave .ovpn at the end of the file name. Click Save.
Step 27. Navigate to Status and Statistics > VPN Status. You have the ability to scroll down for more detailed information.
The router is now configured with all the parameters necessary to support an OpenVPN Client connection for your personal trial.
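The Client Address Pool rule from the OpenVPN page steps in both router sections above (a subnet from the reserved ranges that is not used anywhere else in the company), as an added Python example that is not part of the original article. It assumes "reserved ranges" means the RFC 1918 private ranges; the IN_USE inventory and every subnet in it are constructed sample values.

```python
import ipaddress

# RFC 1918 private ranges (assumed here to be what the article means by
# "reserved ranges").
PRIVATE_RANGES = [ipaddress.IPv4Network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory of subnets already in use; replace with your own.
IN_USE = {
    "office-lan": "192.168.1.0/24",
    "voice-vlan": "10.10.20.0/24",
    "dmz": "172.16.5.0/24",
    # Common home-router default: a pool that collides with a remote
    # user's own LAN breaks routing on that client.
    "typical-home-lan": "192.168.0.0/24",
}


def check_pool(pool, in_use=IN_USE):
    """Return a list of problems with a candidate Client Address Pool."""
    try:
        # strict=True rejects values such as 10.8.0.1/24 (host bits set).
        net = ipaddress.IPv4Network(pool, strict=True)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    problems = []
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append("not-private")
    for label, used in in_use.items():
        if net.overlaps(ipaddress.IPv4Network(used)):
            problems.append(f"overlaps:{label}")
    return problems


def first_free_pool(parent, prefixlen, in_use=IN_USE):
    """Return the first subnet of `parent` that passes check_pool, or None."""
    for candidate in ipaddress.IPv4Network(parent).subnets(new_prefix=prefixlen):
        if not check_pool(str(candidate), in_use):
            return str(candidate)
    return None


if __name__ == "__main__":
    for pool in ("192.168.1.0/24", "10.10.0.0/16",
                 "198.51.100.0/24", "10.8.0.0/24"):
        print(pool, check_pool(pool) or "ok")
    print("suggestion:", first_free_pool("192.168.0.0/16", 24))
```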
OpenVPN Client Setup on Computer
Each OpenVPN client needs to perform the following tasks as a prerequisite:
Download the OpenVPN application on their device.
Open and save the configuration file that was sent in steps 19-22 in the previous section. The configuration file ends in .ovpn.
Note: This setup is specifically for Windows 10.
Step 1. Navigate to the arrow icon on the bottom right of the desktop and click to open the OpenVPN icon. Right click and select Import File.
Note: The icon is black and white, indicating that it is not currently running. Once it is running the icon will show in color.
Step 2. Click on the up arrow. Click on the OpenVPN icon. Right click and select Connect from the dropdown menu.
Step 3. Enter the Username and Password.
Step 4. The window will show the OpenVPN connecting along with some log data.
Step 5. A system log should alert that there is a connection.
Step 6. The VPN client should safely be able to tunnel incoming and outgoing information through OpenVPN. This can be set to automatically connect in the OpenVPN settings.
Step 7. The administrator can confirm the VPN Status by navigating to Status and Statistics > VPN Status on the router.
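An added example, not from the original article or from Cisco: a Python check that can be run on the .ovpn file before it is imported or sent to clients, flagging the points this article calls out (encryption that must match the router, DES/3DES, the password prompt, and the client certificate when Password + Certificate is selected). The sample profile, the function names and the router cipher name passed in are assumptions; the contents of an actual RV160/RV260 export are not shown in the article.

```python
# Constructed sample profile for illustration; not an actual RV160/RV260 export.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
cipher DES-EDE3-CBC
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn(text):
    """Split a profile into {directive: [args, ...]} and {inline_block: [lines]}."""
    directives, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:            # inside <ca>...</ca> and similar
            if line.lower() == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if (line.startswith("<") and line.endswith(">")
                and not line.startswith("</")):
            current = line[1:-1].lower()
            blocks[current] = []
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives, blocks


def has_material(directives, blocks, name):
    """True if `name` is given as a file directive or as an inline PEM block."""
    return bool(directives.get(name)) or any(
        "-----BEGIN" in entry for entry in blocks.get(name, []))


def audit_ovpn(text, router_cipher, client_auth="password"):
    """Return sorted finding codes for a client profile.

    router_cipher: the encryption selected on the router's OpenVPN page,
                   written as an OpenVPN cipher name (assumption, for
                   example "AES-256-CBC").
    client_auth:   "password" or "password+certificate", mirroring the
                   Client Authentication choice on the router.
    Only the `cipher` directive is inspected for the encryption setting.
    """
    directives, blocks = parse_ovpn(text)
    findings = set()
    ciphers = [args[0].upper() for args in directives.get("cipher", []) if args]
    if not ciphers:
        findings.add("cipher-missing")
    for cipher in ciphers:
        if "DES" in cipher:                # DES-CBC, DES-EDE3-CBC (3DES), ...
            findings.add("cipher-weak")
        if cipher != router_cipher.upper():
            findings.add("cipher-mismatch")
    if not directives.get("remote"):
        findings.add("remote-missing")
    if not has_material(directives, blocks, "ca"):
        findings.add("ca-missing")
    if "auth-user-pass" not in directives:
        findings.add("password-prompt-missing")
    if client_auth == "password+certificate":
        for name in ("cert", "key"):
            if not has_material(directives, blocks, name):
                findings.add(f"client-{name}-missing")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_ovpn(SAMPLE_OVPN, "AES-256-CBC"):
        print("FINDING:", finding)
```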
Conclusion
You should now have successfully installed OpenVPN on your RV160 or RV260 router and at the VPN client site.
For community discussions on OpenVPN, go to the Cisco Small Business Support Community page and do a search for OpenVPN.

Article ID:5878
Run Executive Reports on the Cisco FindIT Kaseya Plugin
Objective
Executive reports are reports generated from the devices on the FindIT Network Probes linked to the FindIT Network Manager. Running these reports is one of the two optional steps that you can perform in the process flow of getting started with the plugin.
This feature can be used to view a high-level dashboard displaying a summary of device status. The view may be filtered based on Kaseya Organizations or Groups. The report includes status charts and graphs that represent the devices that meet the specific conditions. You may click through the links to remediate the condition, or to view more detailed information.
It is quite helpful to get detailed information about devices on a network to help identify devices with alerts, what needs to be upgraded, if any have reached end of support, or if any are out of warranty. Executive reports categorize the devices on the basis of their current status.
This article aims to show you how to run various executive reports on the Cisco FindIT Kaseya Plugin.
Applicable Devices
Cisco FindIT Network Manager
Cisco FindIT Network Probe
Software Version
1.1
Run Executive Reports
Step 1. Launch a web browser and enter the IP address of your Kaseya VSA server on the address bar and then hit Enter.
Note: In this example, the IP address used is 10.10.0.1
Step 2. Enter your Kaseya account login credentials in the Username and Password fields provided, and then click SIGN IN.
Note: In this example, kaseya is used as the Username.
Step 3. In the Navigation Panel, choose Cisco > Main > Executive Report.
On this page, the following information is displayed:
Device Count by Site - This area displays the sites and the number of devices in each site.
Top 10 Devices with Critical Events associated - This area displays the list of 10 devices in the network that have critical events detected on them.
Device Scheduled for "End Of Life" - This area displays the number of Cisco devices in the network that have already been scheduled for cease of support.
Devices "Out of Warranty" - This area displays the number of devices in the network that are no longer qualified to get free support from Cisco.
Devices with "Critical" Alerts - This area displays the number of devices in the network that have alerts in Critical level associated with them.
Firmware Updates Available - This area displays the number of devices in the network that have a new firmware update available.
FindIT Reports - This area displays the links that direct to the pages of the following reports:
Summary - Shows the summary report of the FindIT Network Manager that displays the sites, devices, type, model, firmware update, current firmware being used, end of life status, and maintenance status of the sites.
End of Life - Shows the end of life report of the FindIT Network Manager that displays the sites, product ID, devices, type, current firmware, dates, and so on.
Maintenance - Shows the maintenance report of the FindIT Network Manager that displays the sites, devices, type, model, serial number, status of the device, coverage and warranty end dates.
Step 4. (Optional) Click Resolve under Devices Scheduled for "End Of Life", Firmware Updates Available, and/or Devices with "Critical" Alerts to remediate the condition or click Details under Devices "Out of Warranty" to view more detailed information.
Step 5. Click on the Summary link under FindIT Reports to generate a summary report.
The page will then direct you to the FindIT Network Manager Summary Report page.
Step 6. Click on the End of Life link.
The page will then direct you to the FindIT Network Manager End of Life Report page.
Step 7. Click on the Maintenance link.
The page will then direct you to the FindIT Network Manager Maintenance Report page.
You now have successfully run executive reports on the Cisco FindIT Kaseya Plugin.

Article ID:5877
Create Rule to Set Alert Levels on the Cisco FindIT Kaseya Plugin
Introduction
The Cisco FindIT Kaseya Plugin is a module that installs on the Kaseya Virtual System Administrator (VSA). It tightly integrates the Cisco FindIT Network Manager with the Kaseya VSA, allowing for centralized management of the network. The plugin allows access to the powerful management features of FindIT including action management, dashboards, device discovery, network topology, remote device management, actionable alerts, and event history.
The Alerts page in the Cisco FindIT Kaseya Plugin web-based utility allows you to create rules that use FindIT events as a trigger to generate standard Kaseya alerts.
In this scenario, a rule will be created to send out a Warning message for any events that would occur in all FindIT sites and devices to inform the user and take actions as necessary.
Objective
This article aims to show how to create a rule to set Alert levels on the Cisco FindIT Kaseya Plugin.
Applicable Devices
FindIT Network Manager
FindIT Network Probe
Software Version
1.1
Create Rule to Set Alert Levels
Step 1. Launch a web browser and enter the IP address of your Kaseya VSA server on the address bar and then press Enter.
Note: In this example, the IP address used is 10.10.0.1
Step 2. Enter your Kaseya account login credentials in the Username and Password fields provided, and then click SIGN IN.
Note: In this example, kaseya is used as the Username.
Step 3. Choose Cisco > Main > Alerts in the Navigation Panel.
Step 4. Under FindIT Alerts, click on the Create New Rule button.
The Create Rule page will then appear.
Step 5. In the Name field, enter the name that you want for the rule.
Note: In this example, Warning Level is entered.
Step 6. In the Description field, enter a description for the rule.
Note: In this example, Warning or higher is entered.
Step 7. Click on the Event Type drop-down menu in the For Events area to choose the type of event for the rule to apply.
Note: In this example, All is chosen. This means that the Warning alert will be sent out whenever an event occurs, regardless of its type.
Step 8. Click the Event Severity drop-down menu to choose the severity.
Note: In this example, Warning is chosen.
Step 9. (Optional) Check the Include higher check box if you want the rule to also apply when events occur that have higher severity than the one you have set.
Step 10. Click on the Device drop-down menu in the Matching devices area to choose the FindIT devices where the rule shall apply.
Note: In this example, All is chosen.
Step 11. Click on the Site drop-down menu to choose the FindIT site where you wish the rule to apply.
Note: In this example, All is chosen.
Step 12. Click on the Device Type drop-down menu to filter the FindIT devices where you wish the rule to apply depending on their type. In this example, All is chosen.
Note: The Raise action section is outside the scope of this article, as its items correspond to functions outside of the plugin, in Kaseya VSA itself.
Step 13. Click on the button. When settings have been saved, the table showing the newly configured rule will now be visible in the FindIT Alerts page.
You now have successfully created a rule to set the Alert levels on the Cisco FindIT Kaseya Plugin.

Article ID:5876
Configure Port Forwarding/Port Triggering on RV160 and RV260 Routers
Objective
Port forwarding and port triggering are features that allow some internet users to have access to specific resources on your network, while protecting the resources that you want to keep private.
Port forwarding allows public access to services on network devices on the Local Area Network (LAN) by opening a specific port or port range for a service, such as file transfer protocol (FTP). Port forwarding opens a port range for services such as internet gaming that uses alternate ports to communicate between the server and the LAN host.
Port triggering allows a specified port or port range to open for inbound traffic after a user sends outbound traffic through the trigger port. Port triggering allows the device to monitor outgoing data for specific port numbers. The device recalls the IP address of the client that sent the matching data. When the requested data returns through the device, the data is sent to the proper client using the IP addressing and port mapping rules.
For more information on port forwarding and port triggering, click here.
The objective of this article is to show you how to configure port forwarding and port triggering on the RV160 and RV260 Routers.
Applicable Devices
RV160
RV260
Software Version
1.0.00.13
Configure Port Forwarding
To configure port forwarding, follow these steps:
Step 1. Log in to the web configuration utility. Enter the username and password for the router and click Login. The default username and password is cisco.
Note: In this article, we will be using the RV260 to configure port forwarding. The configuration may vary depending on the model you use.
Step 2. Click Firewall > Port Forwarding.
Step 3. In the Port Forwarding Table, click the add icon (or select the row and click the edit icon) and configure the following:
Enable - Check Enable to enable port forwarding.
External Service - Select an external service from the drop-down list. (If a service is not listed, you can add or modify the list by following the instructions in the Service Management section.)
Internal Service - Select an internal service from the drop-down list. (If a service is not listed, you can add or modify the list by following the instructions in the Service Management section.)
Internal IP Addresses - Enter the internal IP addresses of the server.
Interfaces - Select the interface from the drop-down list to apply port forwarding on.
To add or edit an entry on the Service list, follow these steps:
Step 4. Click Service Management.
Step 5. In Service Management, click the Add icon or select a row and click the Edit icon.
Configure the following:
Application Name - Name of the service or application.
Protocol - Required protocol. Refer to the documentation for the service that you are hosting.
Port Start/ICMP Type/IP Protocol - Range of port numbers reserved for this service.
Port End - Last number of the port reserved for this service.
To add a service, click on the plus icon and configure Name, Protocol, Port Start/ICMP Type/IP Protocol and Port End/ICMP Code.
To edit a service, select a row and click on the edit icon to configure the fields as shown below.
Note: In this example, FTP service is selected.
Step 6. Click Apply.
Step 7. In the Universal Plug and Play (UPnP) Port Forwarding Table, click the refresh icon to refresh the data. The port forwarding rules for UPnP are dynamically added by the UPnP application.
Configure Port Triggering
To configure port triggering, follow these steps:
Step 1. Log in to the web configuration utility. Enter the username and password for the router and click Login. The default username and password is cisco.
Note: In this article, we will be using the RV260 to configure port forwarding. The configuration may vary depending on the model you use.
Step 2. Click Firewall > Port Triggering.
Step 3. To add or edit a service to the port triggering table, configure the following:
Click the add icon (or select the row and click the edit icon) and enter the information:
Enable - Check to enable port triggering.
Application Name - Enter the name of the application.
Trigger Service - Select a service from the drop-down list. (If a service is not listed, you can add or modify the list by following the instructions in the Service Management section.)
Incoming Service - Select a service from the drop-down list. (If a service is not listed, you can add or modify the list by following the instructions in the Service Management section.)
Interfaces - Select the interface from the drop-down list.
Step 4. Click Service Management to add or edit an entry on the Service list.
Step 5. In Service Management, click the add icon or select the row and click the edit icon.
Configure the following:
Application Name - Name of the service or application.
Protocol - Required protocol. Refer to the documentation for the service that you are hosting.
Port Start/ICMP Type/IP Protocol - Range of port numbers reserved for this service.
Port End - Last number of the port reserved for this service.
To add a service, click on the plus icon and configure Name, Protocol, Port Start/ICMP Type/IP Protocol and Port End/ICMP Code.
To edit a service, select a row and click on the edit icon to configure the fields as shown below.
Note: In this example, FTP service is selected.
Step 6. Click Apply.
You should now have successfully configured port forwarding/port triggering on the RV160 and RV260 Routers.

Article ID:5867
Configure Session Timeout Settings on RV160 and RV260 Routers
Objective
The Session Timeout feature defines the amount of time that a particular session can remain idle before it is closed. This in turn also limits the possibility of having unwanted access to the network by logging out of the session when it has been idle.
Configuring the session timeout settings is also advantageous if you are conducting configurations that take some time, because you can set the session timeouts to a much longer time. This helps avoid situations in which the administrator must redo an entire configuration because a session timed out.
The objective of this article is to show you how to configure the session timeout settings on the RV160 and RV260 Routers.
Applicable Devices
RV160
RV260
Software Version
1.0.00.13
Configure Session Timeout
In the Session Timeout section, you can configure the session time-out and maximum concurrent connections for the Transmission Control Protocol (TCP)/User Datagram Protocol (UDP)/Internet Control Message Protocol (ICMP) flows.
TCP and UDP are transport protocols and are among the core protocols of the Internet protocol suite. Both TCP and UDP work at the transport layer of the TCP/IP model. TCP uses a three-way handshake to establish a reliable connection, whereas UDP is unreliable but faster when compared to TCP. ICMP is a network layer protocol used to report and notify errors and for network discovery.
The session timeout is the time it takes for the TCP/UDP/ICMP session to time out after a period of idleness. To configure the Session Timeout, follow these steps:
Step 1. Log in to the web configuration utility.
Note: In this article, we will be using the RV260 to configure Session Timeout. The configuration may vary depending on the model you are using.
Step 2. Click Firewall > Session Timeout.
Step 3. Enter the following:
TCP Session Timeout: Enter the timeout value in seconds for TCP sessions. Inactive TCP sessions are removed from the session table after this duration (Default 1800, Range 30 to 86400).
UDP Session Timeout: Enter the timeout value in seconds for UDP sessions. Inactive UDP sessions are removed from the session table after this duration (Default 30, Range 30 to 86400).
ICMP Session Timeout: Enter the timeout value in seconds for ICMP sessions. Inactive ICMP sessions are removed from the session table after this duration (Default 30, Range 15 to 60).
Maximum Concurrent Connections: Enter the maximum number of concurrent connections allowed (Default 25000, Range 10000 to 25000).
Current Connections: Displays the number of current connections.
Clear Connections: Click to clear the current connections.
Note: In the case of RV160, Default Maximum Concurrent Connections is 15000 and the Range is 10000 to 15000.
Step 4. Click Apply.
You should now have successfully configured the Session Timeout Settings on the RV160 and RV260 Routers.

Article ID:5875
DMZ Options for RV160/RV260 Routers
Objective
This document will cover the two options for setting up a Demilitarized Zone (DMZ), DMZ host and DMZ subnet, on RV160X/RV260X series routers.
Requirements
RV160X
RV260X
Introduction
A DMZ is a location on a network that is open to the internet while securing your local area network (LAN) behind a firewall. Separating the main network from either a single host or an entire sub-network, or "subnet", ensures that people visiting your website server via the DMZ won't have access to your LAN. Cisco offers two methods of using DMZs in your network that both carry important distinctions in how they operate. Below are visual references that highlight the difference between the two operating modes.
Host DMZ Topology
Note: When using a host DMZ, if the host is compromised by a bad actor, your internal LAN may be subject to further security intrusion.
Subnet DMZ Topology
DMZ Type | Compare | Contrast
Host | Segregates traffic | Single host, fully open to the internet
Subnet / Range | Segregates traffic | Multiple devices and types, fully open to the internet. Available only on RV260 hardware.
Regarding IP Addressing
This article makes use of IP addressing schemes that carry some nuance in their usage. In planning your DMZ you may consider using either a private or public IP address. A private IP address will be unique to you, only on your LAN. A public IP address will be unique to your organization and is assigned by your Internet Service Provider (ISP). To procure a public IP address you will need to contact your ISP.
Configuring DMZ Host
The information required for this method includes the intended host's IP address. The IP address can be either public or private, but the public IP address should be in a different subnet than the WAN IP address. The DMZ Host option is available on both the RV160X and RV260X. Configure the DMZ Host following the steps below.
Step 1. After logging into your routing device, in the left-hand menu bar click Firewall > DMZ Host.
Step 2. Click the Enable checkbox.
Step 3. Enter the designated IP address of the host you wish to open up to WAN access.
Step 4. When satisfied with your addressing, click the apply button.
Note: If you're working with an RV160X series only and want to skip to the verification instructions, click here to move to that section of this document.
Configuring Hardware DMZ
Available to the RV260X series only, this method requires different IP addressing information based on the method you choose. Both methods indeed use subnetworks to define the zone, the difference being how much of the subnetwork is used to create the demilitarized zone. In this case, the options are - all or some. The Subnet (all) method requires the IP address of the DMZ itself, along with the subnet mask. This method occupies all of the IP addresses belonging to that subnetwork. Whereas the Range (some) method allows you to define a continuous range of IP addresses to be located within the DMZ.
Note: In either case you will need to work with your ISP to define the subnetwork's IP addressing scheme.
Step 1. After logging into your RV260X device, click WAN > Hardware DMZ
Note: The screenshots are taken from the RV260X user interface. Below is the screenshot of Hardware DMZ options that will be displayed on this page.
Step 2. Click the Enable (Change LAN8 to DMZ port) checkbox. This will convert the 8th port on the router into a DMZ only "window" to services that require enhanced security.
Step 3. After clicking Enable an informational message displays below the selectable options. Review the details for points that may affect your network and click the OK, I agree with the above checkbox.
Step 4. The next step splits into two potential options, Subnet and Range. In our example below we've selected the Subnet method.
Note: If you intend to use the Range method, then you will need to click the Range radio button, then enter the range of IP addresses assigned by your ISP.
Step 6. Click Apply (in the upper right hand corner) to accept the DMZ settings.
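The addressing rules from the DMZ Host and Hardware DMZ sections can be checked before anything is typed into the router. The following is an added example, not Cisco code: the function names, the /24 LAN assumed around the default 192.168.1.1 address, the LAN-overlap check and the sample addresses (documentation ranges) are all assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges. ipaddress.is_private is not used because it also
# reports the documentation ranges used as sample "public" addresses here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the LAN is still 192.168.1.0/24 around the default router IP.
DEFAULT_LAN = "192.168.1.0/24"


def check_dmz_host(wan_ip, wan_mask, host_ip):
    """DMZ Host rule from the article: a public host address should be in a
    different subnet than the WAN IP address; a private one is accepted."""
    wan_net = ipaddress.ip_network(f"{wan_ip}/{wan_mask}", strict=False)
    host = ipaddress.ip_address(host_ip)
    if any(host in net for net in RFC1918):
        return "ok-private"
    if host in wan_net:
        return "conflict-wan-subnet"
    return "ok-public"


def plan_hardware_dmz(mode, first, second, lan=DEFAULT_LAN):
    """Return the addresses a Hardware DMZ entry would occupy.

    mode "subnet": first = DMZ IP address, second = subnet mask (all).
    mode "range":  first/second = start and end of a continuous range (some).
    The LAN overlap flag is an added sanity check, not a rule stated in the
    article.
    """
    if mode == "subnet":
        net = ipaddress.ip_network(f"{first}/{second}", strict=False)
        lo, hi = net.network_address, net.broadcast_address
    elif mode == "range":
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(second)
        if lo > hi:
            raise ValueError("range start is above range end")
    else:
        raise ValueError("mode must be 'subnet' or 'range'")
    lan_net = ipaddress.ip_network(lan)
    overlaps = (lo <= lan_net.broadcast_address
                and hi >= lan_net.network_address)
    return {"first": str(lo), "last": str(hi),
            "count": int(hi) - int(lo) + 1, "overlaps_lan": overlaps}


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    wan = ("203.0.113.10", "255.255.255.248")
    for host in ("203.0.113.12", "203.0.113.130", "192.168.1.50"):
        print(host, check_dmz_host(*wan, host))
    print(plan_hardware_dmz("subnet", "198.51.100.17", "255.255.255.240"))
    print(plan_hardware_dmz("range", "198.51.100.20", "198.51.100.25"))
```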
Confirming the DMZ is setup properly
To verify that the DMZ is configured to appropriately accept traffic from sources outside of its zone, a ping test will suffice. First though, we'll stop by the administration interface to check the status of the DMZ.
Step 1. To verify your DMZ is configured, navigate to Status & Statistics. The page will load the System Summary page automatically. Port 8 or "Lan 8" will list the status of the DMZ as "Connected".
We can use the trusty ICMP ping feature to test if the DMZ is operating as expected. The ICMP message or just "ping", attempts to knock on the door of the DMZ. If the DMZ responds by saying "Hello" the ping is completed.
Step 2. To navigate your browser to the ping feature, click Administration > Diagnostic.
Step 3. Enter the IP address of the DMZ and click the Ping button.
If the ping is successful you will see a message like the above. If the ping fails, it means the DMZ is unable to be reached. Check your DMZ settings to ensure they are configured appropriately.
Conclusion
Now that you've completed the setup of the DMZ, you should be able to begin accessing the services from outside the LAN.

Article ID:5874
Beginner’s guide to Initial Setup on RV160X and RV260X Series Routers
Objective
The objective of this document is to review the available setup wizard for the RV160X/RV260X series routers. A wizard enables users to rapidly tour the major milestones of a given task.
Applicable Devices
RV160
RV160W
RV260
RV260W
Software Version
1.0.1.3
What’s new in these wizards if I’ve previously used Wizards on RV34X series routers?
Great question. If you’re familiar with previous hardware platforms then you’ll be familiar with what is in store for you here.
What’s different between the wireless and non-wireless variants?
Please note there are differences in the wizards depending on the hardware you have purchased. A ‘W’ at the end of the product ID indicates the presence of wireless radios, for example RV260W.
Initial Setup Wizard
Important Note: The default local area network (LAN) IP address of the router is 192.168.1.1. To connect you may need to modify the network settings of the device you intend to access the router from. Click the following link to be taken to a how-to for Windows 10 users.
Please also note that if you have existing equipment occupying the 192.168.1.1 IP address, you'll need to resolve this conflict for the network to operate. More on this at the end of this article, or click here to be taken there directly.
Step 1. Click Initial Setup Wizard from the Getting Started Page.
Step 2. Review the information and ensure your device is connected to an internet connected device such as a modem. Then click Next.
Step 3. This step covers basic steps to make sure your router is connected. When you are certain your device is connected, click Next.
Step 4. The next screen displays your options for assigning IP addresses to your router. Depending on the complexity of your own network, you may choose one over the other. When decided, click your appropriate option and then click Next.
IP Address Assignment | Description
Dynamic IP Address, or DHCP (Recommended) | The simplest of all options, choose this to let your router automatically manage IP address assignment and maintenance.
Static IP Address * | The most custom solution, static IP addresses are created when precision is required.
PPPoE | Point-to-Point Protocol over Ethernet, primarily for DSL users, this method creates a connection between two remote points.
PPTP (Common in Europe) | Point to Point Protocol is an older method used for VPN traffic.
L2TP (Common in Europe) | Layer 2 Tunneling Protocol, also an older method used for VPN traffic.
*If you select a static IP address and you have existing routing equipment, you will need to assign an IP address in a different subnet than the existing equipment.
Note: The above table is meant to provide a high-level understanding. For further details, click on the Learn more about the different connection types hyperlink toward the bottom of this screen.
Step 5. Next you will be prompted to set your router time settings. This is important because it enables precision when reviewing logs or troubleshooting events. Select your Time Zone and then click Next.
Step 6. Next, you will select what MAC address to assign to devices. Most users will use the default address. Click Next to proceed.
Step 7. The following page is a summary of the selected options. Review and click Next if satisfied.
Step 8. For the next step, you will select a password to use when logging onto the router. The standard for passwords is to contain at least 8 characters, with both upper and lower case letters and numbers. Enter a password that conforms with the strength requirements and then click Next.
Note: It is not recommended that you select Disable Password Strength Enforcement. This option would let you select a password as simple as 123, which would be as easy as 1-2-3 for malicious actors to crack.
If your device is not Wireless capable, you will be shown a summary screen that highlights the settings you’ve selected. After reviewing this screen, you would click the Save button.
Next Steps are Wireless only
Step 9. If you have a wireless 160/260, you will also need to create a security key to gain access to the wireless local area network (WLAN). Select WPA2 Personal – AES and then enter your password.
Step 10. Review the information on the wizard summary page and then either click Save to accept or click Back if you need to change a setting.
If you need to edit the IP address later
After completing the Initial Setup Wizard you can set a static IP address on the router by editing the VLAN settings. You do not need to re-run the Initial Setup Wizard; to perform this change, follow the steps below.
Step 1. In the left-hand menu-bar click the LAN button and then click VLAN Settings.
Step 2. Then select the VLAN that contains your routing device, then click the Edit button.
Step 3. Enter your desired static IP address and click Apply in the upper-right hand corner.
Step 4. (Optional) If your router is not the DHCP server/device assigning IP addresses, you can use the DHCP Relay feature to direct DHCP requests to a specific IP address. The IP address is likely to be the router connected to the WAN/Internet.
Conclusion
Great job, you’re now set up on your new routing device. We encourage you to continue learning about the methods of operating your network. With little effort you can begin implementing some very cool features that will help your organization stand out. Some additional topics you may want to peruse include:
Troubleshooting on RV160 and RV260 Routers
Configuring Static Routing on the RV160 and RV260
Configuring Port Settings on the RV160 and RV260

Article ID:5858
How to Reboot and Reset to Factory Default Settings on RV160 and RV260 Routers
Objective
A reboot can be a very useful tool and for optimal performance, it should be done on a regular basis. A reboot is necessary to update the active image after you do a firmware or language upgrade. At times a reboot may be necessary to save configurations. It is a simple solution to try if the router is not working correctly or having connection issues.
At times a reset to factory default settings can be very helpful as well. There are times when the router may not be running correctly and the solution isn't obvious. Or perhaps you received a router that another person in the company used and you need to clear the configuration and start over.
The objective of this article is to explain how to reboot and reset to factory default settings on an RV160 or RV260 router.
Applicable Devices
RV160
RV260
Software Version
1.0.00.13
Log In to the Router
In your web browser, enter the IP address of the router. Enter the credentials. If you did a factory reset, or this is the first time you are entering credentials, the default IP address is 192.168.1.1 and the credentials are cisco for both the username and password.
Note: If you forgot the IP address of the router and you don't have a specific configuration that you need to keep, you can reset to factory defaults on the physical device. Open a paperclip and insert the end of it into the small recessed reset button. Hold for 10 seconds and you should see the lights on the device light up. It will take at least a few minutes to boot back up. Your IP address will revert to 192.168.1.1.
Perform a Reboot
Navigate to Administration > Reboot. Select the radio button to reboot the device. Click Reboot. It will take a few minutes for the reboot to be complete. You can check the active image after reboot here to ensure you are running the latest version. If you are not sure if you have the most recent version, you should go to Cisco Support and check.
Return to Factory Default Settings after Reboot
When Return to Factory Default Settings after Reboot is performed, all configurations are lost and settings go back to default. If you have a complicated configuration you may want to back it up, but keep in mind, a mistake in your configuration may possibly be what is causing the issue in the first place.
Note: Default settings are generally the most common configurations and come preselected when you purchase the device.
Navigate to Administration > Reboot. Select the radio button to Return to factory default settings after reboot. Click Reboot. It will take a few minutes to perform this action.
Return to Factory Default Settings Including Certificates after Reboot
This action does everything a return to factory default settings after reboot does, but also removes certificates. You would want to do this if you have an expired or invalid certificate attached to your router.
Conclusion
You have now learned the steps for a reboot, return to factory default settings after reboot, and return to factory default settings including certificates after reboot. If these actions do not solve your issue, you can find more information on Troubleshooting on your RV160 or RV260 router here.

Article ID:5857
Troubleshooting on RV160 and RV260 Routers
Objective
Countless issues can come up in a network that can cause connectivity problems. This document will cover some of the areas to analyze when troubleshooting connectivity on an RV160 or RV260 router.
Applicable Devices
RV160
RV260
Software Version
1.0.00.13
Table of Contents
Check for Physical or Environmental Issues
Run Connectivity Tests from the Web-Based Utility
Explore Status and Statistics
Explore Firewall Settings
Troubleshooting Ideas
Check for Physical or Environmental Issues
This is the easiest way to troubleshoot but is often overlooked. Even though these may appear to be obvious, it is good to start with the basics.
Is there power to everything?
Is it all turned on?
Are the cables connected correctly?
Do you have a link light on consistently?
Could it be a bad cable?
Is the router overheated?
Could there be environmental factors such as where it is located?
If it is a wireless router, is there anything interfering with it such as a microwave, metal, or thick walls between the router and computer?
Run Connectivity Tests from the Web-Based Utility
The router must be able to communicate with other devices in the network and out across the internet in order to conduct business. There are a few ways to check for connectivity.
First, you may verify the IP address settings on the computer connected to the Local Area Network (LAN) port of the router. By default the DHCP feature is enabled on the router so you may keep your Network Interface Card (NIC) settings on your computer as "Obtain IP address automatically". This allows your computer to get an IP address from the router. Please verify the reachability to the router LAN using the ping command.
Log into your router directly and use the Graphical User Interface (GUI). In your web browser, enter the IP address of the router. Enter the credentials. If you did a factory reset, or this is the first time you are entering credentials, the default IP address is 192.168.1.1 and the credentials are cisco for both the Username and Password.
Note: If you forgot the IP address of the router and you don't have a specific configuration that you need to keep, you can reset to factory defaults on the physical device. Open a paperclip and insert the end of it into the small recessed reset button. Hold for 10 seconds and you should see the lights on the device light up. It will take at least a few minutes to boot back up. Your IP address will revert to 192.168.1.1.
To get to the navigation pane, you click on the blue circle icon as shown below.
On the navigation pane, select Administration > Diagnostic. From here you can do a Ping, Traceroute to an IP Address, or perform a DNS Lookup.
To do a ping using the GUI, type in the IP address that should have the ability to communicate with your router and click Ping. You can enter the IP address of a different connected device within your network, or you can select a reliable one that you know outside of your network.
If your router is able to communicate with the IP address, packets will be returned along with statistics. The picture below shows a successful ping, therefore network connectivity is not the issue in this case.
To perform a trace on an IP you would click Traceroute. In the outcome of your traceroute, you will see "hops" from one router to the next. "Hop" 1 starts with your local router, then your Internet Service Provider (ISP) router. It then "hops" to the router on the edge of the network of the ISP, and across more routers to get to the destination. If the first two or three "hops" are successful, the problem is an issue outside of your network. Try another IP address or Domain Name to receive a successful traceroute.
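The hop-by-hop reasoning above can be applied mechanically to saved traceroute output. This is an added example, not Cisco code: it assumes the common Unix traceroute text layout (the router's Diagnostic page may format hops differently), treats the first two hops as the local router and ISP router, and runs on constructed sample output using documentation addresses.

```python
import re

# Constructed samples in the common Unix traceroute layout (an assumption).
SAMPLE_OUTSIDE = """\
 1  192.168.1.1  1.1 ms  0.9 ms  1.0 ms
 2  203.0.113.1  8.4 ms  8.1 ms  8.6 ms
 3  * * *
 4  198.51.100.9  15.2 ms  14.8 ms  15.0 ms
 5  * * *
 6  * * *
"""

SAMPLE_LOCAL = """\
 1  192.168.1.1  1.2 ms  1.0 ms  1.1 ms
 2  * * *
 3  * * *
"""

SAMPLE_REACHED = """\
 1  192.168.1.1  1.0 ms  1.1 ms  0.9 ms
 2  203.0.113.1  8.0 ms  8.2 ms  8.1 ms
 3  * * *
 4  198.51.100.20  20.3 ms  20.1 ms  20.6 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(text):
    """Return [(hop_number, responder_ip_or_None), ...] in hop order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def classify(text, destination, local_hops=2):
    """Return (verdict, last_answering_hop).

    A silent hop ("* * *") in the middle of a path is not a failure when a
    later hop answers, so only the last hop that answered is considered.
    local_hops=2 (local router, then ISP router) is an assumption.
    """
    hops = parse_hops(text)
    if not hops:
        return ("no-data", 0)
    answered = [(n, ip) for n, ip in hops if ip]
    last = answered[-1][0] if answered else 0
    if any(ip == destination for _, ip in answered):
        return ("reached", last)
    if last < local_hops:
        return ("local-or-isp", last)  # trace stops before leaving your side
    return ("outside", last)           # first hops fine, problem is upstream


if __name__ == "__main__":
    for name, sample in (("outside", SAMPLE_OUTSIDE),
                         ("local", SAMPLE_LOCAL),
                         ("reached", SAMPLE_REACHED)):
        print(name, classify(sample, "198.51.100.20"))
```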
To perform a Domain Name Service (DNS) Lookup you would type in an IP Address or Domain Name and click Lookup. If the DNS returns details about the IP Address or Domain Name, your Server is configured and connected.
Another option is to Reboot or do a Return to factory default settings after reboot. Keep in mind that if you choose Return to factory default settings, all configurations will be lost. This can sometimes fix the issue if something was changed from the default settings and caused the issue to occur. If you choose Return to factory default settings including certificates after reboot you will need to reload certificates.
Explore Status and Statistics
Explore each of the other Status and Statistics options on the navigation pane starting with System Summary.
System Summary shows your serial number, the amount of time that your router has been up for, the current time, port status, VPN status, and firewall status. It also lists the current firmware and language version. If either is not the latest version, you should go to Cisco Support and upgrade the firmware or language version. This could potentially solve your issue since upgrades often contain bug fixes.
Once you have upgraded the firmware image, you would need to activate that image and reboot, which will cause the older firmware image to be inactive.
Return to System Summary to ensure the firmware and language have been upgraded.
Check out Status and Statistics > Port Traffic for issues.
The Port Traffic page includes:
Port ID – port ID
Port Label – port label
Link Status – connection status on each port, if it is up or down
RX Packets - total number of packets received through the interface
RX Bytes – total bytes received
TX Packets – total number of packets transmitted
TX Bytes – total number of bytes transmitted
Packet Error – errors that occurred when sending or receiving packets
This section of the Port Traffic page, Port Status, includes:
Link Status - the port is connected or not connected
Port Activity - enabled or not
Speed Status - type of speed that port is using
Duplex Status - set to full or half. If you are using older hardware that can only use half duplex, you may have to change the settings to match.
Auto Negotiation - How two connected devices choose common transmission parameters, including the speed and flow control. It is recommended that this be enabled.
If you are using a wireless router, Wireless Traffic will be part of your Port Traffic page.
Check out Status and Statistics > View Logs to look for errors and missing connections.
There are several options of what to look through in View Logs. Logs are created often, so it may be hard to sort out the information you need without using the filtering feature.
These are some examples of Logs:
Explore Firewall Settings
Explore Firewall > Basic Settings to see if you have blocked anything that might be causing the problem.
Here is a standard configuration for Basic Settings. If you can't ping the Wide Area Network (WAN) of the router, this is where you can check to see if Block WAN Request is enabled. If you can't remotely access your web configuration page, the problem might be that you didn't enable Remote Web Management.
It may be possible that you have one or more of these enabled and that is causing the issue.
Explore Security Settings
Check the Security Settings for both Content Filtering and Web Filtering. It is possible you configured something there that is preventing network access.
Content Filtering enables you to restrict access to certain unwanted websites based on the domain names and keywords.
Web Filtering allows you to manage access to inappropriate websites. It can screen a client's web access request to determine whether to allow or deny that website.
Content Filtering can be checked to see if there is anything preventing network access. If you received a message that you were blocked from a specific page or employees report that a specific site is being blocked, this is the location to check that.
Web Filtering is one more place to see if that might be the issue.
If you would like more details on the navigation pane options, click on the question mark on the top right of your GUI screen.
Once you have selected the question mark, a new screen will open and an expandable section will appear that is in the same order as the navigation pane.
Once you click on one of the sections, a list of topics will expand beneath it. Select the area you want more information on and it will open up. In this example Firewall > Basic Settings was selected. There is also a search feature on the top right of the screen if you are not sure where to look for a certain question.
Conclusion
You now have some techniques for troubleshooting on your RV160 or RV260 router.
If you need further assistance, some helpful links are provided below:
Cisco Support and Downloads
Detailed information on RV160 VPN Routers
Detailed information on RV260 VPN Routers
Contact Cisco
Contact Cisco Small Business Technical Support
Create a case

Article ID:5865
Organization Mapping on the Cisco FindIT Kaseya Plugin
Introduction
Organization Mapping is a step that is required after the installation of the Cisco FindIT Kaseya Plugin in order to map FindIT Network Manager sites to Kaseya organizations or groups. This allows the administrator to easily manage devices and perform actions through the web-based utility of the Kaseya Virtual System Administrator (VSA).
In this scenario, one unmapped FindIT site named Local Probe is detected and is mapped to the kserver Kaseya Group.
Objective
This article aims to show you how to perform organization mapping on the Cisco FindIT Kaseya Plugin.
Applicable Devices
Cisco FindIT Network Manager
Cisco FindIT Network Probe
Software Version
1.1
Prerequisites
Before configuring Organizational Mapping, verify that the Plugin Settings are configured. This ensures that the connection between the plugin and the FindIT Manager can be established.
It also enables the FindIT sites to come up and appear on the list for mapping to Kaseya organizations.
To configure the plugin settings, follow the steps below:
Step 1. Launch a web browser and enter the IP address of your Kaseya VSA server on the address bar and then click Enter.
Note: In this example, the IP address used is 10.10.0.1.
Step 2. Enter your Kaseya account login credentials in the Username and Password fields provided, and then click SIGN IN.
Note: In this example, kaseya is used as the Username.
Step 3. Choose Cisco > Main > Plugin Settings in the navigation pane.
Step 4. In the Plugin Settings window, enter the Username and Password of your FindIT Network Manager in their respective fields.
Step 5. Enter the IP address of your FindIT Network Manager in the field provided.
Note: In this example, 10.0.0.122 is used.
Step 6. Click the Test button to test the login credentials you entered and its connection to the FindIT Network Manager.
Step 7. Click on the Save button once the Credentials are correct! message appears.
Step 8. Click Done when the Credentials updated! message appears.
Organization Mapping
Step 9. In the Navigation Panel, choose Organization Mapping.
Note: The page will then display the sites that your FindIT Manager can see in the network in a table format. The tabs at the top of the table also show the following information:
Un-mapped shows the number of sites that are detected by the FindIT Manager but are not yet mapped to any Kaseya organization or group.
Mapped shows the number of sites that are mapped to a Kaseya organization or group.
Ignored shows the number of sites that are detected by the FindIT Manager but are just ignored for future mapping consideration to any Kaseya organization or group. You can move the site back to the Un-mapped tab by clicking Un-ignore.
All shows the total number of sites that are detected by the FindIT Manager regardless of their mapping status.
In this example, only one site named as Local Probe is displayed and is labeled as un-mapped.
Step 10. Click the dropdown menu under the Kaseya Org/Group to choose an appropriate organization or group. This would allow network devices to be filtered and searched by organization or group, and Kaseya functions will be properly associated to the correct organization.
Note: In this example, kserver is chosen.
Step 11. Scroll to the right to view and configure more items in this page. The following information is also displayed:
Kaseya Network Name – This is the network name obtained from the FindIT Network Probe site attached to the FindIT Network Manager that Kaseya was able to detect.
Kaseya Network Probe – This is a system on the network that has a Kaseya agent that can perform Kaseya Discovery.
Scan Recurrence – This specifies the frequency of the network scan depending on the configuration of Kaseya Network Probe. If Kaseya Network Probe is not configured, there is no need to configure this setting.
Scan Date – This specifies the date of the network scan based on the configuration of Kaseya Network Probe. If Kaseya Network Probe is not configured, there is no need to configure this setting.
Step 12. Scroll to the right and click the button.
You now have successfully mapped the Local Probe FindIT site to the kserver Kaseya organization.
Note: Clicking on the button removes the FindIT site from mapping consideration in the future. The site will then be placed in the Ignored tab.

Article ID:5864
Manage a Device via the Control Dashboard Page on the Cisco FindIT Kaseya Plugin
Introduction
The Cisco FindIT Kaseya Plugin is a module that installs on the Kaseya Virtual System Administrator (VSA). It tightly integrates the Cisco FindIT Network Manager with the Kaseya VSA, allowing for centralized management of the network. The plugin allows access to the powerful management features of FindIT including action management, dashboards, device discovery, network topology, remote device management, actionable alerts, and event history.
The Control / Dashboard page on the web-based utility is similar to the view of DISCOVERY - INVENTORY on the FindIT 1.1 Probe. You can select one or multiple sites of FindIT Network Probe and display all or filtered list of devices in the network along with their information and actions that can be taken. These actions, which can be scheduled, include updating the firmware, saving and backing up configurations, deleting a device, and rebooting.
Note: The image of the FindIT Control / Dashboard window below is wider than the screen. You need to scroll over to the right to see the entire screen of the Control / Dashboard.
In this scenario, the web-based utility of a specific device on the network needs to be accessed as well as the probe site where the device is associated.
Objective
This article aims to show you how to manage a device via the Control / Dashboard page on the Cisco FindIT Kaseya Plugin.
Applicable Devices
Cisco FindIT Network Manager
Cisco FindIT Network Probe
Software Version
1.1
Manage a Device via the Control / Dashboard Page
Step 1. Launch a web browser and enter the IP address of your Kaseya VSA server on the address bar and then click Enter.
Note: In this example, the IP address used is 10.10.0.1.
Step 2. Enter your Kaseya account login credentials in the Username and Password fields provided, and then click SIGN IN.
Note: In this example, kaseya is used as the Username.
Step 3. Choose Cisco > Main > Control / Dashboard on the navigation pane.
Step 4. Click on the device type dropdown menu to filter the list of devices to the type of device you want to manage.
Note: In this example, Switch is chosen. This will filter the table view and only show all the switch devices in the network. In this table, all the information about the switch will be displayed such as its current status in the network, hostname, device type, IP address, exact model number, MAC address, Serial number, current firmware version, available firmware version if there is any, the FindIT network site where it belongs, and the actions that can be taken for the specific device.
Step 5. (Optional) Click on the FindIT site drop-down menu to filter devices in a specific FindIT site.
Note: In this example, the FindIT site named Local Probe is chosen.
Step 6. Check the check box before the device that you selected. You will then be able to do actions for the selected device such as accessing its web-based utility or the FindIT Probe site it belongs to. You can also update the firmware, save and back up configurations, delete, or reboot the device.
Note: In this example, SG350-28MP is checked.
Step 7. Click on the Hostname of the switch you have chosen to access its web-based utility.
You will then be redirected to the login page of the web-based utility of the switch.
Step 8. To access the probe that is managing the switch, go back to the Kaseya UI and click on the probe under Network.
Note: In this example, the device is under Local Probe.
You will then be taken to the web-based utility of the probe itself.
You now have successfully managed a device on the network by accessing its web-based utility and FindIT Probe site via the Control / Dashboard page.

Article ID:5862
How to Upgrade Firmware on 200/300 Series Switches
Objective
This article explains how to upgrade firmware for 200 and 300 series switches, but may contain helpful information for upgrading firmware on other devices as well.
Applicable Devices
200 Series Switches
300 Series Switches
Software Version
1.4.x.xx
Table of Contents
Why Should I Upgrade Firmware?
How do I Decipher File Names?
What if I Upgraded through HTTP and Received an Error Message?
How do I Upgrade a Boot File through a TFTP Server?
Why Should I Upgrade Firmware?
Upgrading firmware is essential for optimum performance on every device. It is very important to install upgrades when they are released. Firmware upgrades released by Cisco often contain improvements such as new features, or fixes for bugs that can cause a security vulnerability or an issue with performance.
Potential Questions when Upgrading Firmware
How do I Download an Image File?
In order to upgrade your device you need to download a file, often referred to as an image, to your computer, and then transfer it to the device.
Step 1. Go to https://www.cisco.com/c/en/us/support/index.html, and enter the name of the device that needs an upgrade under Downloads. A dropdown menu should appear. Scroll down and choose the specific model you own.
Step 2. Select a Software Type.
Step 3. Choose the firmware version you want to upgrade to for your device.
Note: If you have missed several upgrades, you may need to work your way up from the oldest to newest version. When the second number goes up, e.g. 1.2.1.1 to 1.3.1.1, those are generally the versions with the biggest upgrades.
Step 4. Click the arrow icon to download.
Step 5. Once you have selected the download, Cisco's End User Software License Agreement may appear. Click to Accept License Agreement.
Step 6. If this screen opens, Click Save. Depending on your web browser, this may happen automatically. Most often, it is automatically saved in the Downloads folder.
Step 7. Log in to the web configuration page of your switch and navigate to Administration >File Management >Upgrade/Backup Firmware/Language
Step 8. The Upgrade/Backup Firmware/Language screen appears with via HTTP, Upgrade, and Firmware Image preselected. Click Choose File.
Step 9. Select Downloads and the appropriate file and click Open.
Only files that end in .ros can be used to upgrade firmware on the 200/300 series switches. If your only choice for a file ends in .zip and you don't know how to retrieve the .ros file, read the next section of this article, How do I Decipher File Names?
Note: Other series of switches often use a .bin file instead of a .ros file.
Step 10. The file you opened will appear on the screen. Click Apply.
Step 11. This screen may appear. Click OK to confirm the upgrade. If you have a popup blocker, you would need to allow the popup for this to appear.
Step 12. Click Done.
Step 13. (Optional) If the Copy/Save Configuration page appears, you can leave the preselected choices or change them if you prefer. All the configurations that the switch is currently using are in the running configuration file which is not retained between reboots. In order to keep your configuration retained, you must save your running configuration to the startup configuration. If it doesn't appear, navigate to Administration > File Management > Copy/Save Configuration if you want to save your configuration file. Click Apply to save your running configuration to your startup configuration.
Step 14. Click Done.
Step 15. It is necessary to swap the firmware images to make the updated version active and the older firmware inactive. Navigate to Administration > File Management > Active Image and select the new version from the dropdown menu. Click Apply.
Step 16. To reboot, navigate to Administration > Reboot. The switch will then reboot to save the file upgrade.
Step 17. Select Immediate and click Reboot.
You have successfully completed a Firmware Upgrade on your device.
How do I Decipher File Names?
When you download a version to upgrade, the last three letters determine the purpose of that file.
In this example, the file ends in .ros. This is the firmware upgrade. You should be able to upgrade using HTTP and upload the Image file ending .ros for HTTP.
Note: Be sure to save all files that you download from https://www.cisco.com/c/en/us/support/index.html in the same folder, including the unzipped files. Most often these images are saved into the Downloads folder.
If you see a file that is in a format ending in .zip, you must unzip that file. If you do not have an unzip program you will need to download one. There are several free options online. Once you have downloaded an unzip program, click Downloads and find the .zip file you need to unzip.
Right-click the name of the zip file and a screen similar to this will appear. Hover over the unzip software, and choose Extract Here. In this example, 7-Zip is used.
Note: If a file ends in .rfb, it is a boot file. You may see this file when you extract a zip file. At times, the boot file will need to be upgraded. This process is detailed in the section How do I Upgrade a Boot File through a TFTP Server?, but most often you won't know you need to do this until you receive a specific error message, detailed in the following section.
What If I Upgraded through HTTP and Received an Error Message?
If you attempted to upgrade firmware through the HTTP server, you may have received this error message: SW Code File is Oversized. This requires you to upgrade the boot file using a Trivial File Transfer Protocol (TFTP) server before you can do the firmware upgrade.
The boot file is what determines the order of the processes that occur when a computer boots up. It follows the instructions that are programmed onto the device. In some cases, updating the boot file allows the computer to upgrade the firmware to the newer version.
TFTP is a simple protocol for transferring files. There are several free TFTP server options to download online. Once you have downloaded a TFTP server, follow the directions in the next section.
Note: This has been known to happen when upgrading from version 1.3 to 1.4.
How do I Upgrade a Boot File through a TFTP Server?
Once you have downloaded the file you want to apply to your device, take a note regarding the folder where the file is located. The Downloads folder is the most common location for downloads. Be sure to save all files in the same location and unzip a file if it has not been unzipped.
Step 1. Open a TFTP server. This is the tool you will be using, through your computer, to upgrade the file. In the Windows platform, go to the search bar on the bottom left next to the Windows icon and search for the TFTP server that you have downloaded and select it.
Note: To avoid potential conflicts, only download one TFTP server.
Step 2. Choose the IP address from the dropdown menu in the Server Interface field. It should be the address of your computer since the server is running through your computer. This example shows the Intel(R) Ethernet Connection was chosen, as the laptop is connected via Ethernet to the device. Then click Browse.
Note: The Server Interface may vary depending on your configuration.
Step 3. Once you click on Browse, a new window will appear. Select the folder that contains all unzipped files for this upgrade and click OK.
Step 4. To double check that the directory contains all necessary files, you can click Show Dir on the TFTP server.
Step 5. Scroll through the images to ensure they are all in the TFTP directory.
Step 6. Now that you have a TFTP server open and you are connected to your switch, choose the following from the navigation pane of your switch: Administration > File Management > Upgrade/Backup Firmware/Language.
Note: Most devices have a similar navigation page.
Step 7. Select the following options: via TFTP, Upgrade, Boot Code, By IP address, and Version 4. Then enter the IP address of your TFTP server and type in the file name that needs to be upgraded. Click Apply to upgrade.
Note: The boot file has the word boot in it.
Step 8. Once the file has been upgraded you may receive a message to reboot your device. Click Done and your switch may automatically reboot.
Step 9. If your switch doesn't automatically reboot, navigate to Administration > Reboot. The switch will then reboot to save the file upgrade.
Step 10. Select Immediate and click Reboot.
Step 11. You may receive a warning similar to this. Click OK. If you have a popup blocker, you would need to allow the popup for this to appear.
Step 12. Once the device has been rebooted, you can confirm that the boot version has been upgraded. Navigate to Status and Statistics > System Summary.
At this point you will need to upgrade the firmware version through HTTP, as explained in the section How do I Download an Image File? You may begin on step 7 in that section, since you will be using image files you previously downloaded.
Step 13. Once that is complete you can confirm that the latest firmware and boot version have been installed. Navigate to Status and Statistics > System Summary.
Companion articles for upgrading firmware can be accessed below:
Firmware Upgrade via HTTP/HTTPS on 200/300 Series Managed Switches
Firmware Upgrade via TFTP on 200/300 Series Managed Switches
Firmware Upgrade Guides for Cisco Small Business Products

Article ID:5866
AnyConnect VPN: Going from Smart License to VPN Connection
Objective
The objective of this resource guide is to highlight the start to finish steps of creating a smart account and then setting up a VPN. This guide will link out to the associated how-to guides which will provide deeper explanations of the levers at play. The below steps within the arrows indicate the different milestones within this document. Each section will contain additional details and notes about best practices.
Requirements
Hardware (At least one)
RV340
RV340W
RV345
RV345P
Software
Firmware version 1.0.01.18
An active Smart License account
AnyConnect Server + Client software
Before we dive in
If you run into any issues while configuring your Smart License account or VPN, rest easy, we're here for you! Our support team will help sort out potential issues and can be reached through multiple methods. Please feel free to use your preferred method to reach out.
Router Community: Click Here
FAQ about RV34X series: Click Here
Smart License Overview: Click Here
FAQ about Smart Licenses: Click Here
Submit a case: Click Here
Support Phone Number: 1 866 606 1866
Creating a Smart License Account
If you've created or visited your Cisco.com account recently, you're greeted by a message urging you to create your own Smart License account.
If not, click here to be taken to the Smart License account creation page. You may need to log in. For additional detail on the steps involved in requesting your Smart Account, click here.
Creating a Smart License account is required to establish authority - of you the user - to represent your organization in respect to license management. In other words, we need to make sure the person managing the licenses is the appropriate person responsible. That will likely be most of you readers.
Purchase Smart Licenses
Smart licenses are available separately for both the AnyConnect client and AnyConnect server. Each license purchased includes bundles of 25 each. Most users will need to purchase both a client and server bundle to furnish the VPN functionality to their network.
When you purchase a smart license for a router or AnyConnect licenses, the vendor needs to enact a process which moves the unique license ID to your Smart License account. Below is a table of the necessary information that will be asked for when purchasing the bundles.
Information Required | Locating the information
Cisco.com User ID | Located in your account profile, or you can click here.
Smart License account name | It is best to have created your smart account prior to purchasing the license bundles. Created in Step 8 of the Smart License account creation guide.
Smart License SKU | The product identification code for the routing device. EX: RV340-K9-NA
What if I've purchased the license but it doesn't appear in my account?
If you've purchased a license but it is not appearing in your virtual account, you have two options.
Follow up with the reseller to request they make the transfer.
Reach out to us and we'll get in touch with the reseller.
Ideally you wouldn't have to do either but if you arrive at this crossroad, we're happy to help! To make the process as expedient as possible, you will need the credentials in the table above as well as those outlined below.
Information Required | Locating the information
License Invoice | This should be emailed to you after completing the purchase of the licenses.
Cisco Sales Order number | You may need to go back to the reseller to get this.
Screenshot of your Smart Account license page | Taking a screenshot captures the contents of your screen for sharing with our team. If you're unfamiliar with screenshots you can use the below methods.
Screenshots
Taking a screenshot is a method of capturing an image of the contents of your screen. It provides a 'user's POV'. The steps involved vary whether you are using a Windows or Mac OS. Mobile devices also have built in functions for easily creating screenshots. First up though you'll need to navigate to the appropriate screen to share with our team.
Navigate to your Smart License account page, then click Smart Software License page > Inventory tab > Licenses sub-tab
Given the differences in procedure to capture a screenshot, see below for links specific to your operating system.
Windows: See this article
Mac: See this article
iPhone/iPad: See this article
Android: See this article
Generate Token
The registration token joins your routing device to your virtual account, acting like a key in unlocking your device's smart license functionality.
Step 1. To generate a token, navigate to your Smart Software License account.
Step 2. Then click Inventory > General tab. Once this screen loads, click the New Token button.
Step 3. Add a Description and define how long the Token should be valid, then click Create Token.
Note: For most use cases, the default 30 days will be sufficient.
Step 4. Once the token is generated, click the token link button to the right of your recently created token. This will open the full token for you to copy to your clipboard.
Step 5. Highlight the token, right click the token and then click Copy.
Assigning the Token to your Device(s)
After creating your token, you will need to log into the device and upload the token key.
Step 1. Once logged into the device, click Administration > License.
The Registration Status field shows whether the device is registered or unregistered. If your device is listed as Unregistered, your License Authorization Status will be listed as Evaluation Mode, which grants you 90 days to register the license. The below screenshot displays the License page.
Step 2. Click Register.
Step 3. Right-click inside the token well. When the context menu displays, click Paste.
Step 4. Click Register.
Note: The registration process may take some time. Please wait for it to finish.
Step 5. Once the token is registered, you will need to allocate the license. Click Choose Licenses to pair your AnyConnect VPN license.
Step 6. The Choose Smart Licenses page will display. Click Save and Authorize to complete the process.
Once the license has been associated with your device, you can download the AnyConnect VPN clients from Software.Cisco.com.
Creating a VPN
There are two primary steps in creating a VPN: configuring your router to recognize the traffic and then enabling endpoints to send that traffic. To complete the first step and set up AnyConnect on your RV34X series router, click here.
For the second step in making full use of AnyConnect, you'll need to enable clients. Below are two options for installing AnyConnect clients on either a Windows or Mac based computer.
Mac - Install Cisco AnyConnect Secure Mobility Client on a Mac Computer
Windows - Install Cisco AnyConnect Secure Mobility Client on a Windows Computer
If you're new to AnyConnect or having issues in getting up and running, check out these additional resources:
Get to Know the Cisco AnyConnect Secure Mobility Client
Gather Information for Basic Troubleshooting on Cisco AnyConnect Secure Mobility Client Errors

Article ID:5863
Get to Know: FindIT Probe
Introduction
Once initial setup of FindIT Network Manager is complete, making use of its built-in probe feature unlocks the full potential of the web application. Similar to the first time setting up a mobile or computing device, the completion of setup opens up into a wealth of open-ended options, which can make it difficult to know where to begin. This guide assumes you've just completed initial setup and provides you with impactful next steps to take your FindIT implementation from day one to the next. Through the remainder of this article we'll answer the following question: "Ok, now that FindIT is set up, what's next?"
To answer that question, recognize that completing the setup of FindIT is scratching the surface of what FindIT is capable of offering. This guide is intended to provide the best practices for unlocking the potential of the web-app to ensure maximum uptime, reliability, and speed to your users.
Managing Your Dashboard
Available Widgets & Their Uses
Customizing Widgets
Customizing Widget Layout
Managing Notifications
Adding Cisco Active Advisor
Adding Email for Notifications
Creating Day One Backups
If you have not yet completed setup of FindIT on your network, do so before proceeding. For the purposes of this guide we've set up an internal lab. Your screens may vary visually due to different devices and network activity of a production environment. In our lab we'll be using the following devices:
WAP 551
WAP 571E
WAP 581
SF550-X-48MP
SG550X-24
SG500X-24MPP
SG200-26P
SG350X-8PMD
IP Phone
With a network topology:
Managing Your Dashboard
FindIT is designed to enable network administration by leveraging SNMP functionality into two distinct user interfaces. The FindIT Manager enables the configuration of multiple networks, each containing a FindIT Probe. The probe, in turn, enables typical management functions available to the devices.
Remotely monitoring network performance via FindIT opens up the opportunity to leverage those abstracted features to elevate best practices within your organization. The monitoring process can be enhanced by actively managing your FindIT dashboard.
Available Widgets and Their Uses
The FindIT Probe Dashboard displays a series of user-selected widgets that communicate a range of information in chart or graph form. The information contained in the widgets is polled and presented in real time, or as network related activity occurs. The list of available widgets includes:
Widget | Purpose
Device Health | Displays each networking device along with the present state of the device. The color of the icon indicates the need for attention and includes: Green = Information, Yellow = Warning, Red = Alert. Clicking on entries in the table of this widget provides additional details about the device status, updated every five minutes. At a minimum, the additional information displayed upon click will include Total Uptime, CPU Utilization, and Notifications. Note: Further information included depends on the device type and can include Service Set Identifier (SSID), Rogue Apps (unverified software connected to the network), and Associated Clients.
Wireless Top Ten | Lists the top trafficked wireless devices on your network, sortable by traffic or client count. Wireless device types include: Access Points, Wireless Networks, and Wireless Clients. When sorting by wireless device type, the widget displays the incoming traffic, outgoing traffic, and the total usage. Note: You can view additional information on the traffic by placing your cursor over the chart. When sorting by Clients, the table will display the devices and their corresponding client count.
Device Client Count | Contains a list of clients by device that have joined your network.
Network Client Count | (Wireless devices only) Contains a count of clients connected to wireless devices.
Traffic | The traffic widget displays incoming and outgoing network traffic sortable by Device, Port, and Time Period.
Customizing the Widgets & Dashboard
The FindIT Dashboard is customizable both in its use of widgets and in how the widgets are displayed across screen sizes. To customize the widgets on your Dashboard, use the following steps:
Step 1. After logging into the FindIT Probe, click on the Dashboard button contained in the navigation pane on the left of the screen.
Step 2. Click on the Edit button located in the upper right corner of the screen.
Note: A visual indicator that you've entered Edit mode includes the addition of icons, before & after example below:
The legend of icons used in the Dashboard is below:
Icon
Meaning
Click and hold to drag the widget to a different location on your Dashboard.
Minimizes the size of the widget to a slot-like size.
Maximizes the size of the widget to occupy as much space as available, allowing you to view data in more granular detail.
Widget settings enabling you to edit the title of the widget or modify the interval of chart updates.
Removes the widget from the Dashboard.
Pro tip: You can set up the same widget multiple times, reporting on different devices (or ports), within a single Dashboard. The animation below displays setting up the Traffic widget for the same device, but monitoring different ports.
Note: Be sure to click Save Widgets when satisfied with the layout of your Dashboard.
Step 3. (Optional) Adjust the position by clicking & dragging the widget to your desired location.
Step 4. Once you are satisfied with the locations of your widgets, click the Save icon.
Customizing the Widget Layout
In addition to managing the location of the widgets, you are able to select the Dashboard Layout from a pre-populated list of styles. FindIT includes six themes that react to the screen size of the device accessing FindIT, from small to large. Please note that FindIT does not yet support mobile devices.
Step 1. From Edit Mode Layout (As pictured above in step 3) click on the settings icon.
Step 2. Select your preferred layout (ignore the numeric notation in this screen).
Note: This overlay window contains the widget grid aligned from Middle, Large then Small.
Managing Notifications
FindIT delivers notifications both to the FindIT user interface and to a specified email address via SMTP (Simple Mail Transfer Protocol). In this section, we will review what kinds of notifications FindIT delivers and how to manage them to provide you with network critical alerts. To ensure you receive only up to date information, some notification types will clear themselves automatically. As stated previously, the notifications arrive in 3 different categories:
Color | Meaning | Examples
Green | Information | Device additions, Firmware update available
Yellow | Warning | Device health, Authentication errors, Disabled SNMP (Simple Network Management Protocol)
Red | Alert | Device no longer available
Prior to setting up the email for notifications, you should first decide which types of notifications to receive by email, versus being notified in the user interface of FindIT. To do this, perform the following steps:
Step 1. From any screen of the FindIT Probe User Interface (UI), click on the Notification icon.
Step 2. This will deliver you to the notifications screen. Once the page has loaded, click on the Settings tab.
Step 3. From this screen you are able to check off the boxes that deliver via the noted method. Popup Notifications will be delivered to the UI, while Email checked items will have their status sent to the designated email address. When you've selected which notifications you'd like to receive click Save. In a later section you will configure the email settings.
Note: It would be considered a best practice to monitor the status of your edge router or WAN facing device.
Device based notifications are defined below:
Device Notification | Purpose
Reachability | Notifies when a device has become unreachable or when it has established contact with the FindIT probe.
Credential / SNMP | SNMP has encountered an authentication error while establishing contact with the probe.
Credential / User ID | Authentication has failed due to the user credentials used.
Device Service / SNMP | The device is unreachable due to SNMP being inactive on this device.
Device Service / Web Service | The web service is presently disabled.
Health | Displays each networking device along with the present state of the device. The color of the icon indicates the need for attention and includes: Green = Information, Yellow = Warning, Red = Alert
There is a secondary category of notifications that are specific to Cisco services. Cisco Active Advisor will dynamically provide you with information on the following:
Cisco Support Notification | Purpose
Firmware | The latest Firmware is available for this device.
EOX | The device is approaching ... End of Life or End of Sale
Maintenance | Both the maintenance service and/or warranty have expired for this device.
Adding CAA Credentials
If you would like to setup Cisco Active Advisor, follow these steps:
Step 1. Within the navigation pane of the FindIT Probe, click on Administration > CAA Credential.
Note: You will need to have signed up for a Cisco.com address. If you do not have one, create one by clicking this link and then filling out the information requested.
Step 2. Log in to CAA with your Cisco credentialed email address.
Step 3. On the FindIT Probe, click on the Discovery button from the navigation pane on the left of the screen. Then click on Actions, and click on Upload to CAA.
Step 4. After this process is complete, click Actions again and then click Upgrade Firmware. FindIT will then intelligently upgrade devices, without severing communications with critical device interconnects while devices update. This process may take many minutes depending on how many devices are on your network.
Add Email Account for Notifications
This section is located later in this document in order to prevent your email from receiving unwanted notification types set up in the section titled Managing Notifications. To set up emailing of notifications, you will need the following pieces of information:
Mail server URL (Ex - smtp.google.com)
Associated SMTP port number (Ex - 25, 443)
Login credentials associated with your email service
Destination email address
Step 1. On the FindIT Probe, click on Administration in the left-hand navigation pane, then click on Email Settings.
Step 2. Enter the information outlined prior to Step 1. When that is done, click Test Connectivity. This will send a test email to the destination email address and will provide you an idea of the format to expect in future email notifications.
Now your email relay is set up to deliver notifications to your email address of choice. For a more in-depth look at configuring email address settings, click here.
Creating Backup & Restore
The last steps in your FindIT implementation are saving the devices' running configurations to their startup configurations and then creating backups of your network's settings. There are two backups that should be executed. You need to save the running configuration of your network's devices, as well as backups of the startup configurations.
Step 1. Navigate to the Discovery page and click on Actions, then click on Save Running Configurations. This will save the presently running configurations of your devices to the startup configuration, retaining settings upon reboot of the devices.
Note: SNMP must be enabled on all applicable devices to have them included in this section's operations.
Step 2. Once the running configurations have been saved to the startup configurations, you'll receive a notification. Click Actions and this time select Backup Configurations. It is a best practice to leave yourself a descriptive note, e.g. "Post-setup clean backup of network configuration".
Note: This will create a copy local to the FindIT Probe hardware that you can later access by clicking on Administration and then Backup & Restore.
Step 3. If you would like to download an archive of the backup files, click Administration > Backup & Restore.
Step 4. Enter the password you used to log into the FindIT Probe and then click Backup & Download.
Step 5. This will initiate the download prompt from your browser. Select the save location for your archive and save the file.
Note: If you didn't receive this prompt, the browser may have saved the archive to the Download folder of your device.
Congratulations, you are now prepared to monitor and resolve issues relating to the health of your network. To take your network even further, check out these articles:
Cisco FindIT Network Management Frequently Asked Questions
Configure Switch Ports from Port Management Using the Cisco FindIT Network Probe
Manage Device Groups on FindIT Network Probe

Article ID:5861
Configuring Auto Voice VLAN Settings on a Switch through the CLI
Introduction
The Voice Virtual Local Area Network (VLAN) is used when traffic from Voice over Internet Protocol (VoIP) equipment is assigned to a specific VLAN that is made up of voice devices such as IP phones, VoIP endpoints, and voice systems. The switch can automatically detect and add port members to the Voice VLAN, and assign the configured Quality of Service (QoS) to packets from the Voice VLAN. If the voice devices are in different Voice VLANs, IP routers are needed to provide communication.
The Voice VLAN feature permits the switch ports to carry voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values from an IP phone. Based on IEEE 802.1p CoS, the switch supports QoS which uses classification and scheduling to send network traffic from the switch. You can configure the Cisco IP phone to forward traffic with an IEEE 802.1p priority, and configure the switch to trust or override the traffic priority assigned by an IP phone.
Configuring Voice VLANs ensures that the VoIP devices will not have to contend directly with the broadcasts, data, and other traffic from other VLANs, which could cause delays when delivering the traffic. Voice VLANs generally make the network configuration simple by marking the packets for QoS and assigning them higher priority.
In the scenario below, the ports on the switch that are connected to the IP Phones are configured with Voice VLAN settings.
The switch supports two dynamic Voice VLAN modes: Telephony Organizationally Unique Identifier (OUI) mode and Auto Voice VLAN mode. The two modes affect how Voice VLAN and/or Voice VLAN port memberships are configured. The two modes are mutually exclusive.
Telephony OUI — In Telephony OUI mode, the Voice VLAN must be a manually-configured VLAN, and cannot be the default VLAN. When the device is in Telephony OUI mode and a port is manually configured as a candidate to join the Voice VLAN, the device dynamically adds the port to the Voice VLAN if it receives a packet with a source MAC address matching to one of the configured telephony OUIs. An OUI is the first three bytes of an Ethernet MAC address. To configure the Voice VLAN Telephony OUI settings on your switch through the CLI, click here.
Auto Voice VLAN — In Auto Voice VLAN mode, the Voice VLAN can be either the default Voice VLAN, manually configured, or learned from external devices such as UC3xx or UC5xx, and from switches that advertise Voice VLAN in Cisco Discovery Protocol (CDP) or Voice VLAN Discovery Protocol (VSDP). VSDP is a Cisco-defined protocol for voice service discovery. Unlike Telephony OUI mode that detects voice devices based on telephony OUI, Auto Voice VLAN mode depends on Auto Smartport to dynamically add the ports to the Voice VLAN. If enabled, Auto Smartport adds a port to the Voice VLAN if it detects an attaching device to the port that advertises itself as a phone or media end points through CDP and/or LLDP-MED.
Voice VLAN Triggers
When the Dynamic Voice VLAN mode is Auto Voice VLAN, Auto Voice VLAN becomes operational only if one or more triggers occur. Possible triggers are static voice VLAN configuration, voice VLAN information received in neighbor CDP advertisement, and voice VLAN information received in the VSDP. If desired, you can activate Auto Voice VLAN immediately without waiting for a trigger.
When Auto Smartport is enabled, depending on Auto Voice VLAN mode, Auto Smartport is enabled when Auto Voice VLAN becomes operational. If desired, you can make Auto Smartport independent of Auto Voice VLAN.
Note: The defaults and the voice VLAN triggers are designed to have no effect on installations without a voice VLAN or on switches that have already been configured. You can manually disable and enable Auto Voice VLAN and/or Auto Smartport to fit your deployment if needed.
Auto Voice VLAN
Auto Voice VLAN is responsible for maintaining the voice VLAN, but depends on Auto Smartport to maintain the voice VLAN port memberships. Auto Voice VLAN performs the following functions when it is in operation:
It discovers voice VLAN information in CDP advertisements from directly connected neighbor devices.
If multiple neighbor switches and/or routers, such as Cisco Unified Communication (UC) devices, are advertising their voice VLAN, the voice VLAN from the device with the lowest MAC address is used.
Note: If connecting the device to a Cisco UC device, you may need to configure the port on the UC device using the switchport voice vlan command to ensure the UC device advertises its voice VLAN in CDP at the port.
It synchronizes the voice VLAN-related parameters with other Auto Voice VLAN-enabled switches, using VSDP. The device always configures itself with the voice VLAN from the highest priority source it is aware of. The priority is based on the source type and the MAC address of the source providing the voice VLAN information. The source types, from highest to lowest priority, are static VLAN configuration, CDP advertisement, default configuration based on changed default VLAN, and default voice VLAN. A numerically lower MAC address has higher priority than a numerically higher MAC address.
It maintains the voice VLAN until a new voice VLAN from a higher priority source is discovered or until the Auto Voice VLAN is restarted by the user. When restarted, the device resets the voice VLAN to the default voice VLAN and restarts the Auto Voice VLAN discovery.
When a new voice VLAN is configured or discovered, the device automatically creates it and moves all the port memberships of the existing voice VLAN to the new voice VLAN. This may interrupt or terminate existing voice sessions, which is expected when network topology is altered.
Note: The device can synchronize with VSDP-capable switches in the same management VLAN and in the directly connected IP subnets configured at the device.
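The following Python sketch is an added example, not code from Cisco or from the original article. It models the source selection described above: source type is compared first, then the numerically lower MAC address, and the current voice VLAN is kept until a strictly higher priority source appears. That is why a statically configured voice VLAN is not displaced by a value learned from a neighbor. The class and function names are hypothetical, and the default of VLAN 1 is taken from the article's note on defaults.

```python
from dataclasses import dataclass
from enum import IntEnum

class SourceType(IntEnum):
    """Source types in the article's order; a lower value means higher priority."""
    STATIC = 0           # static VLAN configuration on the switch
    CDP = 1              # learned from a neighbor's CDP advertisement
    DEFAULT_CHANGED = 2  # default configuration based on a changed default VLAN
    DEFAULT = 3          # default voice VLAN

def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

@dataclass(frozen=True)
class Source:
    kind: SourceType
    mac: str
    vlan_id: int

    def rank(self) -> tuple:
        # Compare by source type first, then by numeric MAC (lower wins).
        return (int(self.kind), mac_to_int(self.mac))

class VoiceVlanElector:
    """Hypothetical model of one switch's view of the voice VLAN."""

    def __init__(self, own_mac: str, default_vlan: int = 1):
        self._default = Source(SourceType.DEFAULT, own_mac, default_vlan)
        self.current = self._default

    def offer(self, src: Source) -> bool:
        """Adopt src only if it strictly outranks the current source."""
        if not 1 <= src.vlan_id <= 4094:
            raise ValueError(f"voice VLAN ID out of range: {src.vlan_id}")
        if src.rank() < self.current.rank():
            self.current = src  # port memberships would move to the new VLAN here
            return True
        return False

    def restart(self) -> None:
        """Reset to the default voice VLAN, as a user restart does."""
        self.current = self._default
```

Feeding the elector two CDP sources and then a static one shows the lower MAC winning among CDP sources and the static source winning overall, regardless of its MAC address.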
Auto Smartport works with CDP and/or LLDP to maintain the port memberships of the voice VLAN when voice end-points are detected from the ports:
When CDP and LLDP are enabled, the device sends out CDP and LLDP packets periodically to advertise the voice VLAN to the voice endpoints to use.
When a device attaching to a port advertises itself as a voice endpoint through CDP and/or LLDP, the Auto Smartport automatically adds the port to the voice VLAN by applying the corresponding Smartport macro to the port (if there are no other devices from the port advertising a conflicting or superior capability). If a device advertises itself as a phone, the default Smartport macro is phone. If a device advertises itself as a phone and host or phone and bridge, the default Smartport macro is IP Phone + Desktop.
Voice VLAN QoS
Voice VLAN can propagate the CoS/802.1p and Differentiated Services Code Point (DSCP) settings by using Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) Network policies. LLDP-MED is set by default to respond with the Voice QoS setting if an appliance sends LLDP-MED packets. MED-supported devices must send their voice traffic with the same CoS/802.1p and DSCP values as received in the LLDP-MED response.
You can disable the automatic update between Voice VLAN and LLDP-MED and use your own network policies.
Working with the OUI mode, the device can additionally configure the mapping and remarking (CoS/802.1p) of the voice traffic based on the OUI.
By default, all interfaces are CoS/802.1p trusted. The device applies the quality of service based on the CoS/802.1p value found in the voice stream. In Auto Voice VLAN, you can override the value of the voice streams using advanced QoS. For Telephony OUI voice streams, you can override the quality of service and optionally remark the 802.1p of the voice streams by specifying the desired CoS/802.1p values and using the remarking option under Telephony OUI.
Voice VLAN Constraints
The following constraints exist:
Only one Voice VLAN is supported.
A VLAN that is defined as a Voice VLAN cannot be removed.
Objective
To manually configure the Auto Voice VLAN settings on your switch, follow this workflow:
Create a VLAN. For instructions on how to create VLANs using the Command Line Interface (CLI), click here.
Configure Voice VLAN properties.
Configure Dynamic Auto Voice VLAN Settings.
(Optional) Configure LLDP or CDP settings. To configure LLDP using the CLI-based instructions, click here. To configure CDP settings, click here.
Configure Smartports settings. For instructions, click here.
Note: By default, CDP, LLDP, LLDP-MED, auto Smartport mode, and basic QoS with trusted DSCP are all enabled. All ports are members of default VLAN 1, which is the default Voice VLAN.
This article provides instructions on how to configure Voice VLAN Properties on a switch through the Command Line Interface (CLI).
Note: In this scenario, a switch with pre-configured Voice VLAN Telephony OUI settings is being configured with Auto Voice VLAN settings.
Applicable Devices
Sx350 Series
SG350X Series
Sx500 Series
Sx550X Series
Software Version
2.3.0.130
Configure Auto Voice VLAN Properties
Display Voice VLAN Settings
Step 1. To display the local Voice VLAN configuration, enter the following:
SG350X#show voice vlan local
Note: In this example, the current Voice VLAN type is Telephony OUI.
Step 2. (Optional) To display the Voice VLAN status for all interfaces or for a specific interface if the Voice VLAN type is OUI, enter the following:
SG350X#show voice vlan type oui [interface-id | detailed]
The options are:
type oui — Common and OUI-voice-VLAN specific parameters are displayed.
interface-id — (Optional) Specifies an Ethernet port ID.
detailed — (Optional) Displays information for non-present ports in addition to present ports.
Note: In this example, the information on the OUI-enabled Voice VLAN is displayed.
You should now have successfully displayed the current Voice VLAN settings on your switch through the CLI.
Configure Voice VLAN Properties
The default VLAN of the switch is VLAN 1 which cannot act as the Voice VLAN. However, if there is no other configured VLAN, VLAN 1 can be assigned to Voice VLAN.
Note: To know how to configure VLAN settings on your switch through the CLI, click here for instructions.
Step 1. Log in to the switch console. The default username and password are cisco/cisco. If you have configured a new username or password, enter those credentials instead.
Note: To learn how to access an SMB switch CLI through SSH or Telnet, click here.
Note: The commands may vary depending on the exact model of your switch. In this example, the SG350X switch is accessed through Telnet.
Step 2. From the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
SG350X#configure
Step 3. In the Global Configuration mode, specify the Voice VLAN ID by entering the following:
SG350X(config)#voice vlan id [vlan-id]
vlan-id — Specifies the Voice VLAN. The range is from 1 to 4094.
Note: In this example, Voice VLAN 40 is being configured.
Step 4. Press Y on your keyboard to continue.
Step 5. To specify a value of VPT (802.1p VLAN priority tag) that will be advertised by LLDP in the Network Policy TLV, enter the following:
SG350X(config)#voice vlan vpt [vpt-value]
vpt-value — The VPT value to be advertised (range 0-7).
Step 6. Press Y on your keyboard to continue.
Step 7. To specify a value of DSCP that will be advertised by LLDP in the Network Policy TLV, enter the following:
SG350X(config)#voice vlan dscp [dscp-value]
Step 8. Press Y on your keyboard to continue.
Configure Dynamic Auto Voice VLAN Settings
Manually re-configuring the voice VLAN ID, CoS/802.1p, and/or DSCP from their default values results in a static voice VLAN, which has higher priority than auto voice VLAN that was learned from external sources.
Note: If the device is currently in Telephony OUI mode, you must disable it before you can configure Auto Voice VLAN.
Step 9. To change the administrative state from OUI-enabled to auto-enabled (or auto-triggered), you must first set the administrative state to disabled by entering the following:
SG350X(config)#voice vlan state [disabled]
disabled — Disables Auto Voice VLAN or Telephony OUI.
Step 10. Press Y on your keyboard to continue.
Step 11. To enable Auto Voice VLAN, enter the following:
SG350X(config)#voice vlan state [auto-enabled]
auto-enabled — The operational state is auto-enabled.
Step 12. (Optional) To configure the voice VLAN to be enabled by a trigger, enter the following:
SG350X(config)#voice vlan state [auto-triggered]
Note: In this example, auto-triggered is enabled. When the device detects a Voice VLAN advertisement, Auto Voice VLAN is activated. The operational state is auto-enabled only if one of the following occurs:
A statically configured local voice VLAN ID, CoS/802.1p, and/or DSCP that is not the factory default is present.
A CDP voice VLAN advertisement is received from a neighboring CDP device that is not a device of the same family as the current device.
A VSDP message was received from a neighbor switch. VSDP is a Cisco Small Business proprietary protocol for SF and SG series managed switches.
In all other cases the operational state is disabled.
Step 13. (Optional) To restart the Voice VLAN discovery process on all Auto Voice VLAN-enabled switches in the VLAN by removing all externally learned voice VLAN attributes and resetting the voice VLAN to the default voice VLAN, enter the following:
SG350X(config)#voice vlan refresh
Step 14. Enter the exit command to go back to the Privileged EXEC mode:
SG350X(config)#exit
You should now have successfully configured the Auto Voice VLAN settings on your switch through the CLI.
Display Voice VLAN Settings
Step 1. To display the Voice VLAN status for all interfaces or for a specific interface if the Voice VLAN type is auto, enter the following:
SG350X#show voice vlan type auto [interface-id | detailed]
The options are:
type auto — Common and Auto Voice VLAN-specific parameters are displayed.
interface-id — (Optional) Specifies an Ethernet port ID.
detailed — (Optional) Displays information for non-present ports in addition to present ports.
Note: In this example, the information on the auto-enabled Voice VLAN is displayed.
Step 2. (Optional) To display the local Voice VLAN configuration, enter the following:
SG350X#show voice vlan local
Step 3. (Optional) In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file by entering the following:
SG350X#copy running-config startup-config
Step 4. (Optional) Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config].... prompt appears.
You should now have displayed the Auto Voice VLAN configuration settings on your switch through the CLI.